CVE-2026-50226
Analyzed Analyzed - Analysis Complete
AES-128-CBC Key Forgery in AcerConnect OTA

Publication date: 2026-06-04

Last updated on: 2026-06-08

Assigner: 8fc372e3-d9c5-46e4-9410-38469745c639

Description
Fixed AES-128-CBC keys inside the AcerConnect OTA application let attackers forge authorization credentials for arbitrary IMEI numbers. This allows unauthorized actors to list catalog items and extract protected binaries from pre-signed cloud links.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-08
Generated
2026-06-24
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-23
NVD
CVE-2026-50226
EUVD
EUVD-2026-34231
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
acer connect_m6e_5g_firmware to m6e_ai_1.00.000019 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-321 The product uses a hard-coded, unchangeable cryptographic key.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthorized actors to forge authorization credentials and extract protected binaries, potentially exposing sensitive data. This exposure could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Specifically, the ability to list catalog items and extract protected binaries from pre-signed cloud links indicates a failure in access control and data protection mechanisms, which are critical requirements under these standards.

Therefore, until the vulnerability is patched, affected systems may be at risk of violating compliance obligations related to confidentiality, integrity, and security of data.

Executive Summary

This vulnerability involves fixed AES-128-CBC encryption keys embedded within the AcerConnect OTA application. Because these keys are fixed and predictable, attackers can forge authorization credentials for any IMEI number. This unauthorized access enables attackers to list catalog items and extract protected binary files from pre-signed cloud links.

Impact Analysis

The vulnerability allows unauthorized actors to gain access to protected content by forging authorization credentials. This can lead to exposure of sensitive binaries and catalog information that should be restricted, potentially compromising device security and intellectual property.

Mitigation Strategies

Users are advised to secure their devices with strong administrative passwords and restrict IPv6 traffic where possible.

Apply the forthcoming firmware patches via the device management interface as soon as they are released.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50226. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart